#!/usr/bin/perl
#
# This test performs checks for network-related capabilties.
#

use Test;
BEGIN { plan tests => 5 }

$basedir = $0;
$basedir =~ s|(.*)/[^/]*|$1|;

# Find a usable ifconfig
if ( -x "/sbin/ifconfig" ) {
    $ifconfig = "/sbin/ifconfig";
}
elsif ( -x "/usr/bin/ifconfig" ) {
    $ifconfig = "/usr/bin/ifconfig";
}
else {
    BAIL_OUT("can not find a copy of ifconfig");
}

#
# Tests for the good domain.
#
# CAP_NET_ADMIN
$result = system "runcon -t test_ncap_t -- $ifconfig lo -promisc 2>&1";
ok( $result, 0 );

# CAP_NET_BIND_SERVICE
$result = system "runcon -t test_ncap_t -- $basedir/test_bind 2>&1";
ok( $result, 0 );

# CAP_NET_BROADCAST - Not done. Kernel does not check this capability yet.

# CAP_NET_RAW
$result = system "runcon -t test_ncap_t -- $basedir/test_raw 2>&1";
ok( $result, 0 );

#
# Tests for the bad domain.
#

# CAP_NET_ADMIN
$result = system "runcon -t test_resncap_t -- $ifconfig lo -promisc 2>&1";
ok($result);

# CAP_NET_BIND_SERVICE; included in can_network by fedora policy
#$result = system "runcon -t test_resncap_t -- $basedir/test_bind 2>&1";
#ok($result);

# CAP_NET_RAW - Domain requires rawip_socket create permission
$result = system "runcon -t test_resncap_t -- $basedir/test_raw 2>&1";
ok($result);

exit;
